JBoss Developer: Message List
Most recent forum messages
https://developer.jboss.org/?view=discussions
Jive Engage
2014-04-30T23:05:02Z
2014-04-30T23:05:02Z
en

Re: JPA + LDAP auth
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-04-30T23:05:02Z
2014-04-30T23:05:02Z
<!-- [DocumentBodyStart:0825cb5b-0494-4b0a-81d9-7aac2627a67b] --><div class="jive-rendered-content"><p>I think that you would need to implement the switching logic at a higher level than the CredentialHandler.&#160; Perhaps it might be necessary to also have two Credentials implementations to support both types of authentication.</p></div><!-- [DocumentBodyEnd:0825cb5b-0494-4b0a-81d9-7aac2627a67b] -->
2014-04-30T23:05:02Z
2 years 7 months ago
0

Re: Re: JPA + LDAP auth
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-04-29T22:58:56Z
2014-04-29T22:58:56Z
<!-- [DocumentBodyStart:20ab985b-9098-471d-a03a-d1b956f99269] --><div class="jive-rendered-content"><p>Just to add to this advice given by Pedro, another possibility is that you subclass your user class and store one type in LDAP, one in the database.&#160; So for example say your User class looks like this:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><!--[CodeBlockStart:b5290714-4df6-4c33-91e8-3836b70df197][excluded]--><pre class="java" name="code">
public class User implements Account {
  // properties, getters and setters
}
</pre><!--[CodeBlockEnd:b5290714-4df6-4c33-91e8-3836b70df197]--><div style="display:none;"></div><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>Then extend this to create another user class:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><!--[CodeBlockStart:3cc27ead-f728-474a-af7c-1af974f97350][excluded]--><pre class="java" name="code">
public class LDAPUser extends User { }
</pre><!--[CodeBlockEnd:3cc27ead-f728-474a-af7c-1af974f97350]--><div style="display:none;"></div><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>Once you've done that, configure PicketLink to store User identities in the database, and LDAPUser identities in the LDAP directory.&#160; The only additional step should be adjusting your authentication logic so that it will attempt authentication using both identity types (i.e. try the first one, if it fails then try the second).</p></div><!-- [DocumentBodyEnd:20ab985b-9098-471d-a03a-d1b956f99269] -->
2014-04-29T22:58:56Z
2 years 7 months ago
0

Re: The best way to implement a permission web control.
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-03-31T23:55:38Z
2014-03-31T23:55:38Z
<!-- [DocumentBodyStart:5bbc838c-ab1b-4dd6-99da-f676df4adfbc] --><div class="jive-rendered-content"><p>It could most likely be a bug in our code.&#160; Could you describe your database schema in a little more detail?</p></div><!-- [DocumentBodyEnd:5bbc838c-ab1b-4dd6-99da-f676df4adfbc] -->
2014-03-31T23:55:38Z
2 years 8 months ago
0

Re: The best way to implement a permission web control.
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-03-31T03:14:09Z
2014-03-31T03:14:09Z
<!-- [DocumentBodyStart:dee92698-f916-435a-9524-dd71e31de83e] --><div class="jive-rendered-content"><p>You should actually receive a list of IdentityPermission objects, which has a getAssignee() method that returns the IdentityType to which the permission is assigned.&#160; If you're only getting an ID and nothing else, then it's a bug.</p></div><!-- [DocumentBodyEnd:dee92698-f916-435a-9524-dd71e31de83e] -->
2014-03-31T03:14:09Z
2 years 8 months ago
20

Re: The best way to implement a permission web control.
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-03-31T01:00:26Z
2014-03-31T01:00:26Z
<!-- [DocumentBodyStart:7fb3a1dc-6d6f-4a29-a511-b3e5ef6d1ca0] --><div class="jive-rendered-content"><p>Hi Michael,</p><p style="min-height: 8pt; padding: 
0px;">&#160;</p><p>The Permissions API is still a work in progress and won't be fully complete until the 2.6.0.Final release.&#160; Having said that though it should be already possible to use it in the way that you're describing.&#160; I have been thinking a bit about how a permission management UI should look but haven't come up with anything definitive as yet, although what you have looks like a good start however I would "invert" what you have and make the resource something you select, and then display the assigned permissions for it.&#160; I'll try to explain further below while answering your other questions:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>1) It is actually quite a challenge to list Permissions based on an identity type.&#160; We are currently working on a feature called permission inheritance chains which is planned for the 2.6.0.Final release.&#160; Basically this feature will give you the ability to declare the "flow" of privileges between the assignee (such as a group or role) and a user.&#160; For example, if user A is the member of group B, and group B is assigned role C, then any permissions assigned to role C should also apply to user A.&#160; Hope I explained it clearly, but basically you can't just assume that a permission will be assigned directly to a user, hence no user parameter in the listPermissions() methods in the PermissionManager interface.&#160; Instead, from a permission management point of view you should query by the resource that you're interested in to determine which permissions exist for that resource, hence the suggestion above to invert your UI.</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>2) Sorting operations are currently up to you, if you want a Map that contains the permissions for multiple resources then that will require multiple calls to listPermissions() to populate that Map.</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>Hope that helps a bit!</p></div><!-- 
[DocumentBodyEnd:7fb3a1dc-6d6f-4a29-a511-b3e5ef6d1ca0] -->
2014-03-31T01:00:26Z
2 years 8 months ago
40

Re: PicketLink / Drools / DeltaSpike Security
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-03-20T00:00:08Z
2014-03-20T00:00:08Z
<!-- [DocumentBodyStart:fe458ee4-e791-4079-a12b-c8f20f03ab6f] --><div class="jive-rendered-content"><p>Hi Florian,</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>Currently support for Drools-based permissions is only experimental.&#160; We are waiting for the Drools team to respond to DROOLS-299 and until this happens the feature (and the associated quickstart) will remain in development.&#160; That being said however, I'll try to answer some of your other questions.</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><blockquote class="jive-quote"><span style="color: #3d3d3d; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">-Where does the Identity parameter come from? The DeltaSpike documentation gives this signature:</span></blockquote><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>The Identity parameter is treated as an injection point, and so the standard Identity bean will be injected here.</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><blockquote class="jive-quote"><span style="color: #3d3d3d; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">-Where exactly is Drools coming into play?</span></blockquote><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>The actual firing of the rule happens in DroolsPermissionVoter - source code here:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p><a class="jive-link-external-small" href="https://github.com/picketlink/picketlink/blob/master/modules/idm/drools/src/main/java/org/picketlink/idm/drools/DroolsPermissionVoter.java" rel="nofollow">picketlink/modules/idm/drools/src/main/java/org/picketlink/idm/drools/DroolsPermissionVoter.java at master &#183; picketlink/&hellip;</a></p><p 
style="min-height: 8pt; padding: 0px;">&#160;</p><p>The DroolsPermissionVoter is invoked by the Permissions API when you call the hasPermission() method (so that's where the connection is).&#160; It is created by the PermissionVoterProducer, which is where we have currently hit a roadblock and are waiting for a response to DROOLS-299:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p><a class="jive-link-external-small" href="https://github.com/picketlink/picketlink/blob/master/modules/idm/drools/src/main/java/org/picketlink/idm/drools/PermissionVoterProducer.java" rel="nofollow">picketlink/modules/idm/drools/src/main/java/org/picketlink/idm/drools/PermissionVoterProducer.java at master &#183; picketlin&hellip;</a></p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>If you would like to take a look at this we would be grateful for any contribution made to help get this feature working.&#160; I believe that rule-based permissions used to be quite popular in Seam and it would be nice if we could provide equivalent functionality in PicketLink.</p></div><!-- [DocumentBodyEnd:fe458ee4-e791-4079-a12b-c8f20f03ab6f] -->
2014-03-20T00:00:08Z
2 years 9 months ago
20

Re: Granting Permissions with JPA (NPE)
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-03-11T06:35:26Z
2014-03-11T06:35:26Z
<!-- [DocumentBodyStart:0ffb0819-5b14-4fb3-9964-4f1625259039] --><div class="jive-rendered-content"><p>Hmm, you'll probably need to add a producer method for the PersistentPermissionVoter.&#160; We should probably provide this in the base module of PicketLink itself.&#160; For now, adding the following producer method somewhere in one of your beans *should* work:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><pre class="java" name="code">
@Produces @ApplicationScoped
public PermissionVoter producePermissionVoter(PartitionManager partitionManager) {
   return new PersistentPermissionVoter(partitionManager);
}
</pre></div><!-- 
[DocumentBodyEnd:0ffb0819-5b14-4fb3-9964-4f1625259039] -->
2014-03-11T06:35:26Z
2 years 9 months ago
20

Re: Granting Permissions with JPA (NPE)
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-03-11T01:01:59Z
2014-03-11T01:01:59Z
<!-- [DocumentBodyStart:3c345971-5997-4d60-90d7-4a2c9113dfd2] --><div class="jive-rendered-content"><p>You shouldn't need the @PermissionsHandledBy annotation as PicketLink provides built-in support for entity bean permissions already.&#160; You will need an entity annotated with @PermissionManaged to store your permission records (I'll make a note that we need to cover this in the reference docs) - check out the following class for an example:</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p><a class="jive-link-external-small" href="https://github.com/jboss-developer/jboss-picketlink-quickstarts/blob/master/picketlink-authorization-acl/src/main/java/org/jboss/as/quickstarts/picketlink/authorization/acl/model/ResourcePermission.java" rel="nofollow">jboss-picketlink-quickstarts/picketlink-authorization-acl/src/main/java/org/jboss/as/quickstarts/picketlink/authorizatio&hellip;</a></p></div><!-- [DocumentBodyEnd:3c345971-5997-4d60-90d7-4a2c9113dfd2] -->
2014-03-11T01:01:59Z
2 years 9 months ago
40

Re: Re: Errai Security with Picketlink
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-02-27T23:08:56Z
2014-02-27T23:08:56Z
<!-- [DocumentBodyStart:16b72599-4be8-4c0f-8500-6885b2386e7c] --><div class="jive-rendered-content"><p>Your code looks ok as far as I can tell.&#160; Could you confirm if the authentication quickstart works ok for you?</p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p><a class="jive-link-external-small" href="https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-jsf" rel="nofollow">https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-jsf</a></p><p style="min-height: 8pt; padding: 0px;">&#160;</p><p>Otherwise 
I'd be happy to take a closer look if you could package up a minimal project for me that duplicates the issue.</p></div><!-- [DocumentBodyEnd:16b72599-4be8-4c0f-8500-6885b2386e7c] -->
2014-02-27T23:08:56Z
2 years 9 months ago
0

Re: Errai Security with Picketlink
Shane Bryzak
/people/shane.bryzak
do-not-reply@jboss.com
2014-02-27T04:31:44Z
2014-02-27T04:31:44Z
<!-- [DocumentBodyStart:9d275e02-0eef-4bbd-9765-1cde37327a4f] --><div class="jive-rendered-content"><p>Is it a CDI @SessionScoped bean?&#160; Confirming that other session-scoped beans are working is the first step in diagnosing this issue <span aria-label="Wink" class="emoticon-inline emoticon_wink" style="height:16px;width:16px;"></span></p></div><!-- [DocumentBodyEnd:9d275e02-0eef-4bbd-9765-1cde37327a4f] -->
2014-02-27T04:31:44Z
2 years 9 months ago
30